|
Achmed Jones posted:You don't need meterpreter for anything on the exam. You can use it if you really want, but it's by no means necessary. If you really need it, you goofed True, but there is no reason to limit yourself if you're smart about it. If there is a machine that you're struggling with and you know there's a module that does what you're trying to do effortlessly you can save yourself a lot of time. There's no shame in using it if you think you need to. Just make drat sure to choose wisely.
|
#
?
Sep 3, 2020 08:21
|
|
|
|
| # ? Apr 19, 2024 05:56 |
|
Achmed Jones posted:You don't need meterpreter for anything on the exam. You can use it if you really want, but it's by no means necessary. If you really need it, you goofed I'd use it for a quick win if I'm near my time limit and need a quick win on the last box. I'm gonna try avoid it as everything in there has another script somewhere. Or at least I've found so far anyway.
|
|
|
#
?
Sep 3, 2020 08:53
|
|
|
astral posted:Loved that one of those classic Mac OS "Desktop Security" programs was called Foolproof and simply disabling extensions was enough to stop it.
|
|
#
?
Sep 3, 2020 15:36
|
|
|
CyberPingu posted:I'd use it for a quick win if I'm near my time limit and need a quick win on the last box. I thought all it was is a collection of external scripts brought together in one handy tool?
|
|
#
?
Sep 3, 2020 15:39
|
|
RFC2324 posted:I thought all it was is a collection of external scripts brought together in one handy tool? They have to be Ruby modules Searchsploit is the database of scripts Metasploit also turns all this stuff into very much a "click and go" type thing where you just set your options (e g target host, port etc) and type run and it does it for you Other scripts you need to find how to use them, edit things you need etc. CyberPingu fucked around with this message at 15:46 on Sep 3, 2020 |
|
|
#
?
Sep 3, 2020 15:41
|
|
|
CyberPingu posted:They have to be Ruby modules Didn't realize they had to be ruby modules, but the rest is what I would expect from a tool that unifies a bunch of scripts: for the scripts to be modified to accept variables passed from the command-line(and hence passed from the organization tool)
|
|
#
?
Sep 3, 2020 16:09
|
|
|
RFC2324 posted:I thought all it was is a collection of external scripts brought together in one handy tool? It is that but meterpreter is very powerful since it automates away a lot of things for you. When you get a session established you can attempt several local privilege escalation methods automatically, migrate the process away from the unstable exploited process to a more stable one, load modules in memory like mimikatz, open up port forwards for pivoting to other networks, etc. All of which you can do manually, but it's just plumbed together really well and very easy to use. Way less error prone etc. Which is a plus when it's 4AM and you're tired. I'm not some kind of metasploit fanboy or anything but it definitely gets dunked on way too much because some people say it's not 1337 enough or whatever.
|
|
#
?
Sep 3, 2020 16:27
|
|
|
only time i'll dump on metasploit and variants are where they're used in training courses to do payload generation, etc with no attempt to show how to write your own
|
|
#
?
Sep 3, 2020 16:45
|
|
Wiggly Wayne DDS posted:only time i'll dump on metasploit and variants are where they're used in training courses to do payload generation, etc with no attempt to show how to write your own Thats not training people really, its teaching them to be script kiddies. Its why i really like IppSecs stuff as if they do use MS they then show you a way not using it too
|
|
|
#
?
Sep 3, 2020 16:53
|
|
|
CyberPingu posted:Thats not training people really, its teaching them to be script kiddies. MS is a means to a end. It really depends on what you are doing. I find its better to understand the issue of why the exploit even works so you can tell blue team how to prevent a issue like this from being a issue in the first place!
|
|
#
?
Sep 3, 2020 21:50
|
|
Balsa posted:MS is a means to a end. It really depends on what you are doing. I find its better to understand the issue of why the exploit even works so you can tell blue team how to prevent a issue like this from being a issue in the first place! Dont get me wrong its a great tool. Especially for time based poo poo like CTFs. But personally, if I was building Pen Test training id try stay away from it until the course covers how the exploits work. Its pointless getting someone to run Eternal Blue in a test environment without them understanding the whys and hows as thats not teaching someone properly how to look for things.
|
|
|
#
?
Sep 4, 2020 09:18
|
|
|
CyberPingu posted:Dont get me wrong its a great tool. Especially for time based poo poo like CTFs. But personally, if I was building Pen Test training id try stay away from it until the course covers how the exploits work. Its pointless getting someone to run Eternal Blue in a test environment without them understanding the whys and hows as thats not teaching someone properly how to look for things. and the dangers of running random exploits on systems. Don't forget that most of the NSA Exploits have something like a 45% BSOD rate.
|
|
#
?
Sep 4, 2020 14:30
|
|
Balsa posted:and the dangers of running random exploits on systems. Yep, Again, if you are pentesting, you are basically never going to use any of the DoS exploits in MS either, but if you havent been taught the difference between remote code execution and denial of service, you are just going to run whatever MS shows as a "match" for your search.
|
|
|
#
?
Sep 4, 2020 14:43
|
|
|
CyberPingu posted:Yep, Well... The RCEs can cause DoS in most of the service/kernel level exploits. MS17-10 loves to BSOD boxes that have been running too long.
|
|
#
?
Sep 4, 2020 14:51
|
|
Balsa posted:Well... The RCEs can cause DoS in most of the service/kernel level exploits. MS17-10 loves to BSOD boxes that have been running too long. Yeah i meant explicit denial of service attacks. Not accidental ones MS17 does warn you that it can do that though. Which i always found funny that exploit code comes with a usage warning
|
|
|
#
?
Sep 4, 2020 14:55
|
|
|
CyberPingu posted:They have to be Ruby modules had to do that for a iDrac exploit, had coded IP/PORT in the C code that got cross compiled into another processor (Its the same processor as the dreamcast!) Kali didn't have GCC for it anymore. that to spin up a old debian VM and hand compile it. then edit the crap out of the python script to skip the compile and just send it the elf I had hand compiled.
|
|
#
?
Sep 4, 2020 14:57
|
|
Balsa posted:had to do that for a iDrac exploit, had coded IP/PORT in the C code that got cross compiled into another processor (Its the same processor as the dreamcast!) Kali didn't have GCC for it anymore. that to spin up a old debian VM and hand compile it. then edit the crap out of the python script to skip the compile and just send it the elf I had hand compiled. Amazing.
|
|
|
#
?
Sep 4, 2020 14:59
|
|
|
CyberPingu posted:Amazing. My DA Path for that pentest was iDrac>Esxi>Old Windows Template>Extract Local Admin Password>Unused, scan network for ssh>found vsphere ssh with that password>clone DC into a new VM>extract krbtgt hash>Create domain admin user using golden ticket -- One of the more interesting pens the exploit was CVE-2018-1207 I do other hacking shenanigans over at https://www.youtube.com/watch?v=PtCk3OMeV5g
|
|
#
?
Sep 4, 2020 15:01
|
|
Balsa posted:My DA Path for that pentest was iDrac>Esxi>Old Windows Template>Extract Local Admin Password>Unused, scan network for ssh>found vsphere ssh with that password>clone DC into a new VM>extract krbtgt hash>Create domain admin user using golden ticket -- One of the more interesting pens Thats cool. theres always a reused password somewhere. Or a VM that hasnt been removed.
|
|
|
#
?
Sep 4, 2020 15:03
|
|
|
Balsa posted:and the dangers of running random exploits on systems. Last time I played with metasploit I saw the "hail mary" button and started cackling
|
|
#
?
Sep 4, 2020 18:19
|
|
|
spankmeister posted:True, but there is no reason to limit yourself if you're smart about it. If there is a machine that you're struggling with and you know there's a module that does what you're trying to do effortlessly you can save yourself a lot of time. my point is that the boxes they use on the exam are designed such that there's not going to be meterpreter win buttons. you don't have to strategize around this or "make drat sure to choose wisely" because the exams are designed not to be "lol did you pick the right module". e: iirc you were allowed to use meterpreter as your payload as many times as you want, but could only use its modules (or non-meterpreter metasploit modules) once. i could be 100% misremembering that part though e2: forgot the word "once" lol Achmed Jones fucked around with this message at 16:36 on Sep 5, 2020 |
|
#
?
Sep 4, 2020 20:30
|
|
|
I'm trying to do a couple of OSCP like boxes, but I'm stuck at privesc on a particularly difficult box. code:code:1. My low priv user is a member of ubuntu group. 2. PHP is running a DNS server with some other weird PHP program. 3. I have a valid user account and am logged in using telnet. SSH is patched and certs only. I can't find any writeable files with the ubuntu group, and I can't find any SUID/SGID/cron/etc misconfigurations that can be used. I have a hint on the box, and that is that a software exploit is the way to get root. Output from ps: code:code:
|
|
#
?
Sep 5, 2020 16:02
|
|
|
Mopp posted:I'm trying to do a couple of OSCP like boxes, but I'm stuck at privesc on a particularly difficult box. Nothing in there is jumping out at me right away, but it's also late and I'm laying in bed looking at it in my phone. Can you give any context in what this is from? Is it an OSCP lab box? Htb? Vulnhub? If you can throw me what it's on and it's something I can access I may take a stab at trying it out and doing some enumeration.
|
|
#
?
Sep 6, 2020 05:13
|
|
|
siggy2021 posted:Nothing in there is jumping out at me right away, but it's also late and I'm laying in bed looking at it in my phone. Can you give any context in what this is from? Is it an OSCP lab box? Htb? Vulnhub? The box is from an free ethical hacking course at a local school. So it's a OSCP-like lab network, and I have the general goals and hints for how to get the flags on each box. On this particular one it's privilege escalation by software exploit. I'll go over it again and see if something pops out, otherwise I'll leave it for a week and get back to it later.
|
|
#
?
Sep 6, 2020 08:08
|
|
|
`file /usr/bin/php-dns` and `cat /usr/bin/php-dns`, anything? it is likely php source.
|
|
#
?
Sep 6, 2020 10:10
|
|
|
Biowarfare posted:`file /usr/bin/php-dns` and `cat /usr/bin/php-dns`, anything? it is likely php source. Yeah, seems to be running https://github.com/yswery/PHP-DNS-SERVER. code:well, i can read the google cloud cfg file and the ubuntu user is locked. no joy there. code:So only current lead is PHP. There is a binary in the profile path, but not sure on how to exploit it if possible. code:Mopp fucked around with this message at 12:34 on Sep 6, 2020 |
|
#
?
Sep 6, 2020 10:54
|
|
|
Composer is a php dependency manager. I don't know of any exploits in it that would be helpful, unless you can perhaps abuse its search path to load code your code
|
|
#
?
Sep 6, 2020 17:56
|
|
|
It's gotta be in the PHP stuff because there's no reason whatsoever to actually run PHP DNS, and without dropping privileges no less. Can you look at the source to the DNS resolver itself? It may have something you can exploit. E: That tilde expansion code is definitely sticking out, though...Can you trick it as to what UID you're running as, and point it to a writeable directory somewhere?
|
|
#
?
Sep 6, 2020 21:45
|
|
|
Mopp posted:I'm trying to do a couple of OSCP like boxes, but I'm stuck at privesc on a particularly difficult box. Kernel exploits are generally the last thing I would try to do tbh. That php-dns thing looks VERY suspicious so I would definitely focus on that. spankmeister fucked around with this message at 22:36 on Sep 6, 2020 |
|
#
?
Sep 6, 2020 22:32
|
|
|
Subjunctive posted:It's gotta be in the PHP stuff because there's no reason whatsoever to actually run PHP DNS, and without dropping privileges no less. Can you look at the source to the DNS resolver itself? It may have something you can exploit. Yeah, I've combed this box for multiple times now and this is the only thing that sticks out. No idea on how to attack the script, and since neither that or PHP is SUID it might be best to go at the source code itself. Feels a bit hardcore for this CTF though, there are no reported vulnerabilities for PHP-DNS.
|
|
#
?
Sep 7, 2020 20:33
|
|
|
That sounds a lot harder than most of the OSCP-like boxes I've done.
|
|
|
#
?
Sep 7, 2020 21:14
|
|
|
Subjunctive posted:It's gotta be in the PHP stuff because there's no reason whatsoever to actually run PHP DNS, and without dropping privileges no less. Can you look at the source to the DNS resolver itself? It may have something you can exploit. Yeah, I mean, there is no reason to hand write the expand tilde code, there are library functions for that and it may even work passed straight into require. Moreover, it's looking at the UID when the tilde should be looking at HOME. I would bet very much that the issue is in that function. edit: that function also breaks with multiple tilde, when the tilde isn't the first character, or when the directory separators aren't lined up xtal fucked around with this message at 21:21 on Sep 7, 2020 |
|
#
?
Sep 7, 2020 21:19
|
|
|
xtal posted:Yeah, I mean, there is no reason to hand write the expand tilde code, there are library functions for that and it may even work passed straight into require. Moreover, it's looking at the UID when the tilde should be looking at HOME. I would bet very much that the issue is in that function. it looks at the UID to call the getpw stuff and then the ["dir"] key. I've never seen tilde expansion for home directories work when the tilde isn't the first character. /tmp/~user/thing shouldn't expand to /tmp/home/user/thing, for example require doesn't expand tildes on its own, and I don't know of a library function that does other than the ones that work their way out to shell execution. what do you have in mind?
|
|
#
?
Sep 7, 2020 21:38
|
|
|
Subjunctive posted:it looks at the UID to call the getpw stuff and then the ["dir"] key. I've never seen tilde expansion for home directories work when the tilde isn't the first character. /tmp/~user/thing shouldn't expand to /tmp/home/user/thing, for example So, I googled this to find out, and the code here is exactly the same: https://compwright.com/2013-09-03/tilde-expansion-in-php/ As for your example about tilde expansion, I'm agreeing with you, but the provided function that uses str_replace would replace the tilde no matter where it is and no matter how many times it occurs. I was thinking there must be a library function that handles tilde expansion in a way that accounts for those edge cases. Maybe realpath? E: The strpos call is checking for one tilde at the start, but that's all. xtal fucked around with this message at 21:56 on Sep 7, 2020 |
|
#
?
Sep 7, 2020 21:46
|
|
|
xtal posted:Maybe realpath? afaik realpath just deals with symlinks and . or .. path components. I think POSIX only acknowledges tilde expansion within shell commands, and has nothing to say that open("~thing/foo") is different from open("./~thing/foo")
|
|
#
?
Sep 7, 2020 21:52
|
|
|
Since I have most experience with Ruby I was looking toward File.expand_path which does work for home directories. But since its just copied from somewhere else anyway, it may be a red herring. That snippet is at least 7 years old though so maybe there are some bugs with it that you can research.
|
|
#
?
Sep 7, 2020 22:28
|
|
|
xtal posted:So, I googled this to find out, and the code here is exactly the same: Composer file and PHP dns might be related There was an exploit where composer doesn't check the validity of the download source https://cxsecurity.com/issue/WLB-2015050082 This is usually done by arp spoofing but maybe you can do something cool with phpdns since you can change the DNS json config file via command line.
|
|
#
?
Sep 8, 2020 04:39
|
|
|
This all seems a bit convoluted for the average OSCP-like boot2root VM. It should be simpler than that I would think.
|
|
#
?
Sep 8, 2020 17:39
|
|
spankmeister posted:This all seems a bit convoluted for the average OSCP-like boot2root VM. It should be simpler than that I would think. Yeah that's what I've been thinking too. Like, it's not the worst idea to do boxes that are tougher than the OSCP ones. But you might end up overthinking the exam when you get in.
|
|
|
#
?
Sep 8, 2020 18:42
|
|
|
|
| # ? Apr 19, 2024 05:56 |
|
|
I'm guessing it's not actually that involved and somethings been overlooked. Maybe ~/.composer/vendor/autoload.php is world writeable in /root and was missed, for example
|
|
#
?
Sep 9, 2020 03:44
|
|